Malicious executables unleashed by unwitting staff have become so much of a threat that enterprises will move to broadly denying PC users the right to download almost anything from the Internet, predicts a report from a security vendor.
The report this week from Hewlett-Packard Co.’s Tipping Point DVLabs, says “the future of personal computing [in organizations] will move toward a default deny model” in which everything not explicitly allowed is forbidden.
Security policies “are going to become more granular, more policy-based,” Dan Holden, the lab’s director, explained in an interview Thursday.
That means some employees may have broader download rights than others – perhaps C-level executives or those in creative jobs like reporters -- but most users will see severe limits.
As an interim measure, the report recommends “strong and comprehensive configuration management” for workstations, servers, firewalls, routes and switches -- including tracking exceptions.
The conclusion comes as the report, an annual list of the top cyber security risks, notes attackers are using more sophisticated techniques than ever to get behind corporate firewalls. The kind of attacks aren’t necessarily increasing – in fact the report notes some have been around for years and going after the same vulnerabilities – but their methods are getting trickier.
The number of attacks from well-known legacy threats continue, the report notes. For example, attacks on Windows XP’s cmdshell using SQL injection dramatically increased in May and June, mainly in China. Older versions of Microsoft SQL Server are vulnerable to this, the report notes. Also, while declining, the Conficker virus continues to show signs of life.
HTTP client and server attacks dramatically increased over the past six months, the report adds.
But what the report authors are most concerned about is the continued targeting of Web-based applications. That’s understandable given that so many business applications run on browsers, and co-author Mike Dausin, DVLabs’ manager of advanced security intelligence admits this isn’t new.
But, he said in an interview, the polished nature of the exploit code is “astounding.”
“We started seeing release notes in some of the code,” he said. Weapons of attackers include automated tools, botnets and search engines, he said to spread malicious JavaScripts and PHP remote file include invasions.
The report also notes a recent increase in Cross Site Request Forgery (CSRF) vulnerabilities, in which a user executes an action in one application while in a secure Web site such as a bank. The report gives an example a user reading email and clicking on a link at the same time as he is logged into a bank Web site. The link starts an attack that leads to the transfer of money if bank doesn’t validate a transfer request.
The disclosure rate of CSRF attacks have been increasing over the past year and a half, says Holden, who wonders when there will be a mass eruption. “When you have a vulnerability that continues to grow, at some point the attackers notice that. There seems to be a sweet spot where they start to leverage it.”
To secure organizations, the report points with approval to the SANS Institute’s Top 20 Critical Security Controls. One of those controls urges organizations have a policy that staff must log off sensitive sites before clicking on email links.
In particular, the report points to says allowing only users to download vetted and signed executables can minimize the chances of malware infection.
The report was complied from data collected by HP TippingPoint DVLabs. The TippingPoint division makes intrusion detection and other security products; Qualsys Inc., a vulnerability and Web application security maker; the SANS Institute, a security training service; and the Open Source Vulnerability Database team.